(57) ABSTRACT 

A method and apparatus limit access to network elements. A 
network authentication key server generates a current key 
and transmits it to a plurality of network authentication 
nodes, each node being associated with one or more network 
elements. The server receives user requests for access to a 
given network element and determines whether the user is 
authorized to access the requested element. If access is 
granted, the request is modified to include the most current 
key. The request as modified is forwarded toward the 
requested network element. The modified request can be 
intercepted by the associated network authentication node 
and the request can be either passed through to the network 
element or discarded, depending on whether the request 
includes information that matches a current key maintained 
within the network authentication node. 

23 Claims, 3 Drawing Sheets 
FIG. 1
FIG. 2
FIG. 3
METHOD AND APPARATUS FOR LIMITING 
ACCESS TO NETWORK ELEMENTS 

This application is a continuation of Ser. No. 09/135,086, 
filed Aug. 17, 1998, now U.S. Pat. No. 6,256,735. 

BACKGROUND OF THE INVENTION 

The present invention is directed to a method and apparatus 
for limiting access to network elements. More particularly, 
the present invention is directed to a method and apparatus 
for limiting access to network elements having disparate 
operating systems to only those users being authorized to 
access the respective elements. 

Various communication network configurations are 
known in the art. Typically such communication network 
configurations include a plurality of different network ele- 
ments. The network elements can be supplied by various 
vendors and therefore implement different types of inter- 
faces. Similarly, the different types of network elements, 
which may be intelligent devices that include some process- 
ing capabilities, operate with different operating systems, for 
example different versions of Unix or DOS or Windows. 

One example of an arrangement of network elements is 
illustrated in FIG. 1. In this particular arrangement a user 
may have access to various network elements via personal 
computer (PC) 101. The PC may be coupled to a router 102 
via a wide area network (WAN) or local area network (LAN) 
connection. It would be possible to use TCP/IP transport 
protocols for initiating communications from the PC. The 
router can be coupled to different network elements such as 
a signal control point (SCP) 103, a signal transfer point 
(STP) 104 and a terminal server 105 which constitutes an 
additional intelligent device that interfaces to yet additional 
network elements. Examples of such additional network 
elements include a voice mail server (VMS) 107, a switch 
108 which could be a Lucent Technologies 5ESS switch, and 
a Digital Access Cross Connect System (DACS) 109. It 
should be understood that this is merely an example of an 
arrangement of network elements and is not the sole repre- 
sentation of a configuration in which problems arise that can 
be addressed by the present invention. 

In such network configurations employing a plurality of 
different network elements, it is difficult to provide a unified 
solution for limiting access by the user to each and every one 
of a plurality of the network elements. The problem arises 
because the different network elements operate with differ- 
ent operating systems and, as indicated before may be 
supplied by different vendors with different communication 
specifications. Therefore, typically each individual network 
element would have to operate some sort of authentication 
process to determine whether an individual user has access 
to that particular element. This requires different implemen- 
tations of authentication processes depending upon the 
design of the respective network elements. 

Another network where this problem arises is in a wire- 
less cellular network where access is needed to a variety of 
network elements. Again, since the various network ele- 
ments may have different operating systems with different 
degrees of authentication capability, it can be difficult to 
implement a universal solution that will enforce 
authentication. 

It would be beneficial to have an arrangement by which 
access could be limited to the disparate network elements 
using a unified solution that is independent of the operating 
systems of the respective elements. 

SUMMARY OF THE INVENTION 
In accordance with an embodiment of the present 
invention, access to network elements is limited such that 
one authentication arrangement can service a plurality of 
network elements. In one specific embodiment, a network 
authentication key server generates a key of a predetermined 
length and transmits it to various network authentication 
nodes, each node being associated with at least one network 
element. When a user requests access to a given network 
element, the network authentication key server can detect 
whether the user is authorized to access the requested 
network element. If the user is permitted to access the 
element, then the server can modify the user's request to 
include the most current network authentication key. The 
modified request is then forwarded to the network element 
in question. A network authentication node associated with 
the requested network element intercepts the modified 
request and examines it. If the network authentication node 
determines that the modified request reflects the most 
current key that the node has received from the key server, then 
access to the network element is granted. If the authentication 
node determines that the request does not reflect the 
appropriate authentication key, then access will be denied. 
The network authentication nodes can therefore act as gates 
to the network elements which may be traversed only after 
a user has been authenticated by the network authentication 
key server. 

In accordance with this arrangement, the network 
authentication node can operate in a mode that is transparent to 
both the user and to the network elements. In one 
embodiment of the invention, the network authentication key server 
includes a database which is examined to determine which 
network elements, if any, a given user is permitted to access. 
Further advantages and details regarding the present 
invention will be described below. 

BRIEF DESCRIPTION OF THE DRAWINGS 


FIG. 1 illustrates an example of a communication network 
arrangement which is known. 

FIG. 2 illustrates an example of a communication network 
such as that shown in FIG. 1, modified to include an 
embodiment of the present invention. 

FIG. 3 provides a block diagram of one example of an 
embodiment of a network authentication key server of FIG. 
2. 

FIG. 4 is a block diagram that illustrates one example of 
an embodiment of a network authentication node illustrated 
in FIG. 2. 

DETAILED DESCRIPTION 

In accordance with the present invention, authentication 
techniques are provided in a communication network so as 
to limit user access to individual network elements which 
may have disparate operating systems or may be supplied by 
different vendors. An example of a system employing an 
embodiment of the present invention is illustrated in FIG. 2. 
In regard to its network elements, FIG. 2 is very similar to 
FIG. 1. In fact, like elements in the two figures bear like 
reference numerals. The new elements in FIG. 2, namely 
the authentication key server 201 and the network 
authenticator nodes (NA) 205A, 205B, 205C and 205D, are the 
elements that provide the access limitation sought in the 
present invention. (These elements are also referred to 
herein as "authenticating" and "authenticator" key servers or 
nodes.) More specifically, the network authenticating key 
server (NAKS) 201 generates a key. This key can be a 
multi-bit key, for example 128 bits. In addition, the key can 
be periodically generated so that a new key is produced at 
specified time intervals. These are examples of techniques 
for providing an authentication key and other techniques 
may be employed. What is significant is that there is some 
authentication code generated by a server and transmitted to 
various network authentication nodes for subsequent use by 
those nodes in deciding whether to allow or deny access to 
an associated network element. 

In regard to the network authentication nodes, it is shown 
in the figure that each network authentication node is 
associated with a network element. For example, network 
authentication node 205A is associated with network element 
SCP 103. Similarly, network authenticating node 205B 
is associated with a switch 108. These network authenticator 
nodes are shown in dashed lines to represent that they are 
substantially transparent to the rest of the network and to the 
user. In operation, the network authenticating nodes receive 
a current key generated by the network authenticating key 
server. This key is then held by the authenticating node. In 
a sample embodiment of such a node as shown in FIG. 4, the 
key can be maintained in a key register 401. The key could 
be maintained alternatively in some other device capable of 
storing the key for at least as long as it takes for a new key 
to be generated. The network authenticating node may also 
include a processor 403 and a gate 405 interposed between 
ports 406 and 407. Operation of the network authenticator 
node will be described with reference to these elements; 
however it should be noted that alternative configurations 
can be provided for the network authenticator which will 
also provide the functionality of storing a key and then 
comparing the stored key against a user key. 

An example of the network authenticating key server is 
illustrated in FIG. 3. In this example the server includes a 
processor 301, a key generator 302, a subscriber database 
303 and a port 304. All of the elements are connected to one 
another via some sort of internal bus architecture. The key 
generator could be a pseudo-random number generator or 
any type of key generator known in the art. The processor 
can assure that keys are periodically transmitted from the 
key server to the various network authenticating nodes as 
required by the implementation selected. The subscriber 
database can be used by the processor so as to determine 
access privileges of a given user as will be described below. 

In operation, once the server has transmitted a key to the 
various network authentication nodes, it awaits receipt of a 
user's access request with regard to a given network element. 
For example, suppose that the user of device 101 seeks 
access to the voice mail server, VMS 107. The user's request 
is detected by the network authenticating key server. The 
authenticating key server either asks for or simply receives 
information identifying the user. Such information could be 
constituted by some sort of user id/user password combination. 
Alternatively, user identification information could be 
constituted by such things as a calling party telephone 
number identified by ANI (Automatic Number 
Identification). The specific identification information is not 
critical. What is important is that the server be able to 
identify the user with reasonable accuracy. Once the user is 
identified, the server can then examine the subscriber database 
and determine whether the identified user is authorized 
to access the network element to which the user's request is 
directed. If the network authenticating key server detects 
that the user does not have authorization to access the 
network element, then the request can be discarded or 
dropped. If, however, the network authenticating key server 
determines that the user is authorized to access the network 
element, then the server can modify the request so as to 
somehow reflect the current key information which has 
already been passed on to the various network authenticating 
nodes. 

In one embodiment of the present invention, the request 
can be modified to incorporate the actual generated key in 
either a header or a trailer of the request. Then, when a 
network authenticating node associated with the requested 
network element intercepts the request, it can easily strip 
away the appended key and determine whether that key 
matches the current key maintained by the network 
authenticating node. If the keys match, then the node can pass the 
request through to the network element. In the embodiment 
shown in FIG. 4, the processor 403, upon detecting that a 
received request contains a key corresponding to that which 
is stored in the key register 401, can control the gate 405 so 
as to allow the request to be passed from input port 406 to 
an output port 407 and thus on to the network element. The 
network authenticator is transparent to the network element. 
If the network authenticating node does not detect the 
current key in the user's request, then the request can be 
dropped by the node and thus never passed through to the 
requested network element. 

Not only is the authenticating node transparent to the user, 
but the key itself is transparent to the user. The user never 
receives a copy of the key which is used to allow access to 
a network element. Instead, the user at best maintains the 
identification information necessary to represent who the 
user is and then the network authenticating key server and 
the network authenticating node operate together so as to 
control access to the requested network element. 

In one embodiment of the present invention, the solution 
of providing this authorization process is hardware-based 
and operates between a physical and data link layer of the 
OSI model. The server can be a general purpose UNIX 
computer that holds a repository of user identifiers and 
passwords, along with profiles that specify the network 
elements which various end users are allowed to access. The 
authenticator node can be a "black box" that has its own 
specialized operating system compatible with the server. 
The node can communicate directly with the server. In 
addition, in one of the embodiments the key is inserted into 
the header of the TCP/IP message which constitutes the 
request to the network element. The key can be changed 
periodically so that it is possible that a given user will 
attempt to access the same network element at different 
times and the server will use different keys at those different 
times for purposes of permitting access to the network 
element. In such a circumstance, the user is not ever aware 
of which key is used to authorize the access. 

The present invention provides flexibility for controlling 
access to network elements which may be supplied by 
different vendors and/or may have different operating 
systems, which make providing a unified solution to access 
control difficult. The solution proposed by the present 
invention provides equipment that is essentially transparent 
to the user and avoids placing the access control keys in the 
hands of the user during the authorization process. 

While this invention has been described with specific 
embodiments thereof, it is evident that many alternatives, 
modifications, and variations will be apparent to those 
skilled in the art. Accordingly, the preferred embodiments of 
the invention as set forth herein are intended to be 
illustrative, not limiting. Various changes may be made 
without departing from the spirit and scope of the invention. 

What is claimed is: 

1. A method for authenticating access to a network 
element, comprising: 

periodically transmitting a key to a plurality of network 
authenticator nodes; and 
in response to a request to access the network element, if 
the user is authorized to access the network element, 
transmitting the request to one of the network authen- 
ticator nodes along with a current key. 

2. The method of claim 1, wherein said network element 
is a signal control point. 

3. The method of claim 1, wherein said network element 
is a signal transfer point. 

4. The method of claim 1, wherein said network element 

is a terminal server. 

5. The method of claim 1, further comprising: 
identifying the user; and 

examining a subscriber database to determine whether the 
identified user is authorized to access the network 
element. 

6. The method of claim 5, wherein said identifying 
comprises receiving a user identifier and password combi- 
nation. 

7. The method of claim 5, wherein said identifying 
comprises receiving a user telephone number. 

8. The method of claim 1, wherein said modifying com- 
prises inserting the key into a TCP/IP header for the request. 

9. The method of claim 1, wherein said modifying com- 
prises appending the key to the request. 

10. The method of claim 1, further comprising: 
periodically changing the key to create a different key; 

and 

periodically transmitting the different key to the plurality 
of network authenticator nodes. 

11. An apparatus for authenticating access to a network 
element, comprising: 

a key generator; 

a subscriber database; and 

a processor coupled to the key generator and the sub- 
scriber database, the processor being adaptively con- 
figured to: 

transmit a key generated by the key generator to a 
plurality of network authenticator nodes, 

in response to a user request for access, examine the 
subscriber database to determine whether the user is 
authorized for the requested access, and 

transmit the request along with the key. 

12. The apparatus of claim 11, wherein said key generator 
comprises a pseudo-random number generator. 

13. The apparatus of claim 11, wherein said key generated 
by the key generator comprises a periodically changing key. 

14. A computer-readable medium having stored thereon 
instructions for authenticating access to a network element, 
the instructions, when executed by a processor, causing the 
processor to: 

periodically transmit a key to a plurality of network 

authenticator nodes; and 
in response to a request to access the network element, if 

the user is authorized to access the network element, 
transmit the request to one of the network authenticator 
nodes along with a current key. 

15. The computer-readable medium of claim 14, having 
stored thereon instructions that, when executed by the 
processor, further cause the processor to: 

identify the user; and 

examine a subscriber database to determine whether the 
identified user is authorized to access the network 
element. 

16. The computer-readable medium of claim 14, having 
stored thereon instructions that, when executed by the 
processor, further cause the processor to insert the key into 
a TCP/IP header for the request. 

17. The computer-readable medium of claim 14, having 
stored thereon instructions that, when executed by the 
processor, further cause the processor to append the key to 
the request. 

18. A method of granting access to a network element, 
comprising, at a network authenticator node: 

intercepting a user request addressed to the network 
element, 

comparing a key from the user request to a key previously 
received at the network authenticator node, and 

if the keys agree, passing the user request to the network 
element. 

19. The method of claim 18, wherein the intercepted user 
request is transmitted from a key server. 

20. The method of claim 18, further comprising periodi- 
cally receiving keys from a key server, wherein the com- 
paring compares the key from the user request against a most 
recently received key from the key server. 

21. The method of claim 18, wherein operation of the 
method is transparent to the network element. 

22. The method of claim 18, further comprising, if the 
keys do not agree, preventing the network element from 
receiving the user request. 

23. A method for authenticating access to a network 
element, comprising: 

at a key server: 
periodically transmitting a key to a plurality of network 

authenticator nodes, and 
in response to a request to access the network element, 

if the user is authorized to access the network 

element, transmitting the request to a network element 

along with a most current key; 
at a network authenticator node: 

intercepting a user request addressed to the network 

element, 

comparing a key from the user request to a key previ- 
ously received at the network authenticator node, 
and 

if the keys agree, passing the user request to the 
network element. 
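The key server and authenticator node exchange described in the detailed description and recited in claim 23, as an added worked example; this is not code from the patent or its assignee. It models the key generator 302 and subscriber database 303 on the server side and the key register 401 and gate 405 on the node side. The class and function names, the trailer form of the appended key, the user id/password identification, the constant-time comparison and the sample subscriber profiles are assumptions made for the example.

```python
"""Added illustration (not the patent's code) of the patent's scheme: a key
server distributes a periodically generated key to authenticator nodes, stamps
authorized requests with it, and each node gates on a match with its register."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

KEY_BYTES = 16  # the text mentions a 128-bit key


@dataclass
class Request:
    user_id: str                         # identification information from the user
    password: str
    target: str                          # requested network element, e.g. "VMS107"
    payload: bytes
    key_trailer: Optional[bytes] = None  # key appended by the server (trailer form, assumed)


class NetworkElement:
    """Stands in for SCP 103, VMS 107, switch 108 ...; records what reached it."""
    def __init__(self, name: str) -> None:
        self.name, self.received = name, []

    def deliver(self, req: Request) -> None:
        self.received.append(req)


class AuthenticatorNode:
    """NA 205x: key register 401 plus gate 405 between ports 406 and 407."""
    def __init__(self, element: NetworkElement) -> None:
        self.element, self.key_register = element, b""

    def receive_key(self, key: bytes) -> None:
        self.key_register = key          # only the most recently received key counts

    def intercept(self, req: Request) -> bool:
        """Strip the trailer, compare with the register; True if passed to the element."""
        if req.key_trailer is None or not self.key_register:
            return False                 # no key: drop, the element never sees it
        # constant-time compare is this example's choice, not stated in the text
        if not hmac.compare_digest(req.key_trailer, self.key_register):
            return False                 # wrong or stale key: drop
        self.element.deliver(Request(req.user_id, req.password, req.target, req.payload))
        return True                      # gate 405 opens: port 406 -> port 407


class NetworkAuthKeyServer:
    """NAKS 201: key generator 302 and subscriber database 303."""
    def __init__(self, subscriber_db: dict[str, tuple[str, set[str]]]) -> None:
        self.subscriber_db = subscriber_db   # user_id -> (password, allowed elements)
        self.nodes: list[AuthenticatorNode] = []
        self.current_key = b""

    def register_node(self, node: AuthenticatorNode) -> None:
        self.nodes.append(node)

    def rotate_key(self) -> bytes:
        """Generate a fresh 128-bit key and push it to every authenticator node."""
        self.current_key = secrets.token_bytes(KEY_BYTES)
        for node in self.nodes:
            node.receive_key(self.current_key)
        return self.current_key

    def handle(self, req: Request) -> Optional[Request]:
        """Identify the user and check the database: None (dropped) or the stamped request."""
        entry = self.subscriber_db.get(req.user_id)
        if entry is None:
            return None
        password, allowed = entry
        if not hmac.compare_digest(password.encode(), req.password.encode()):
            return None                  # user not identified with reasonable accuracy
        if req.target not in allowed:
            return None                  # identified, but not authorized for this element
        return Request(req.user_id, req.password, req.target, req.payload, self.current_key)


def run_demo() -> dict[str, bool]:
    """Normal path plus the drop cases; every entry should be True."""
    vms = NetworkElement("VMS107")
    node = AuthenticatorNode(vms)
    server = NetworkAuthKeyServer({"alice": ("alice-pw", {"VMS107", "SCP103"}),
                                   "bob": ("bob-pw", {"STP104"})})  # constructed profiles
    server.register_node(node)
    server.rotate_key()
    ok = Request("alice", "alice-pw", "VMS107", b"READ MAILBOX")
    r: dict[str, bool] = {}
    stamped = server.handle(ok)                      # authorized: stamped, then passed
    r["authorized_passed"] = stamped is not None and node.intercept(stamped)
    r["wrong_element_dropped"] = server.handle(Request("bob", "bob-pw", "VMS107", b"x")) is None
    r["bad_password_dropped"] = server.handle(Request("alice", "nope", "VMS107", b"x")) is None
    r["bypass_dropped"] = not node.intercept(ok)     # straight at the element, no key
    late = server.handle(ok)                         # stamped before a key change ...
    server.rotate_key()
    r["stale_key_dropped"] = late is not None and not node.intercept(late)  # ... dropped after
    r["element_saw_one_clean"] = len(vms.received) == 1 and vms.received[0].key_trailer is None
    return r


if __name__ == "__main__":
    for case, passed in run_demo().items():
        print(f"{case}: {'ok' if passed else 'FAIL'}")
```

The last two checks are the cases the description singles out: a request that never went through the key server carries no key and is dropped at the node, and a request stamped before a key change is dropped once the node's register holds the newer key, so a key's rotation period bounds how long any one stamped request remains acceptable. Because the node passes any request carrying the current key, the path from key server to node is inside the trust boundary of the scheme as described.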






